Cryptographic verification of installation files
We digitally sign various files with our GPG keys so that you can check whether they are legitimate, i.e. whether they really came from Phusion and have not been tampered with by a third party. We have signed releases since open source version 4.0.0 RC 4 and Enterprise version 4.0.0 RC 1.
Importing Phusion's GPG keys
Phusion's GPG keys for signing software are as follows:
Phusion Software Signing (software-signing@phusion.nl)
Short key ID: 0x0A212A8C
Long key ID: 0x2AC745A50A212A8C
Fingerprint: D5F0 8514 2693 9232 F437 AB72 2AC7 45A5 0A21 2A8C
This key is stored at our server and keyserver.ubuntu.com. You can import it to your keyring with one of these commands:
curl https://oss-binaries.phusionpassenger.com/phusion-software-signing-gpg-key.txt | gpg --import
-OR-
gpg --keyserver hkp://keyserver.ubuntu.com:80 --search-keys 0x2AC745A50A212A8C
Phusion Automated Software Signing (auto-software-signing@phusion.nl), used by automated tools to sign software packages
Short Key ID: 0xAC40B2F7
Long Key ID: 0x561F9B9CAC40B2F7
Fingerprint: 1637 8A33 A6EF 1676 2922 526E 561F 9B9C AC40 B2F7
This key is stored at our server and keyserver.ubuntu.com. You can import it to your keyring with one of these commands:
curl https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt | gpg --import
-OR-
gpg --keyserver hkp://keyserver.ubuntu.com:80 --search-keys 0x561F9B9CAC40B2F7
The Phusion Software Signing key is only used for manually signing software, and the Phusion Automated Software Signing key is only used for automatically signing software and our repositories. They are never used for signing emails or for encrypting files, so please be suspicious if you encounter these keys being used outside the context of signing software or our repositories, and alert us at security@phusion.nl. Include "notspam" in the message to bypass our spam filter.
The email addresses software-signing@phusion.nl and auto-software-signing@phusion.nl redirect to info@phusion.nl so it's safe to send email there.
Verifying the Phusion Software Signing key
The Phusion Software Signing key is also signed by the Phusion founders. Their keys are as follows:
Hongli Lai (hongli@phusion.nl)
Short key ID: 0x8C59158F
Long key ID: 0xCD70085E8C59158F
Fingerprint: 218A 7255 83D0 2ECE F3A9 C2A7 CD70 085E 8C59 158F
Ninh Bui (ninh@phusion.nl)
Short key ID: 0x69481265
Long key ID: 0xAE405F7869481265
Fingerprint: A77C 9CEF 766D 0E7D A95B 8778 AE40 5F78 6948 1265
Both keys are stored at keyserver.ubuntu.com. Import them with:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --search-keys 0xCD70085E8C59158F
gpg --keyserver hkp://keyserver.ubuntu.com:80 --search-keys 0xAE405F7869481265
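The cross-signatures described above can be checked mechanically rather than by reading `gpg --check-sigs` output by eye. The following script is an added example and not Phusion's own tooling; it parses gpg's machine-readable `--with-colons` output, in which each `sig` record carries a validity flag in field 2 (`!` means the certification signature verified) and the signer's long key ID in field 5. The key IDs are the ones listed on this page; the sample keyring listing used to exercise it is constructed and abbreviated, not real gpg output.

```shell
#!/bin/sh
# Added example, not Phusion tooling: confirm that the Phusion Software Signing
# key carries verified certification signatures from both founders' keys.

SIGNING_KEY="0x2AC745A50A212A8C"                    # Phusion Software Signing
FOUNDER_KEYS="CD70085E8C59158F AE405F7869481265"   # Hongli Lai, Ninh Bui

# good_signers COLON_OUTPUT
# Prints the long key ID (field 5) of every 'sig' record whose validity
# field (field 2) is '!' i.e. the certification signature verified.
good_signers() {
    printf '%s\n' "$1" | awk -F: '$1 == "sig" && $2 == "!" { print $5 }'
}

# all_founders_signed COLON_OUTPUT
# Returns 0 only when every founder key ID appears among the good signers.
# A sig record flagged '?' (signer's key not in the keyring) or '-' (bad
# signature) does not count, so an unimported founder key is reported.
all_founders_signed() {
    signers=$(good_signers "$1")
    for k in $FOUNDER_KEYS; do
        printf '%s\n' "$signers" | grep -qx "$k" \
            || { echo "no verified signature from $k on the signing key" >&2; return 1; }
    done
    return 0
}

# check_cross_signatures
# Runs against the real keyring once the three keys have been imported.
check_cross_signatures() {
    all_founders_signed "$(gpg --batch --with-colons --check-sigs "$SIGNING_KEY" 2>/dev/null)"
}

# Constructed sample of --with-colons --check-sigs output (abbreviated, not a
# real listing): self-signature plus one founder verified, the other founder's
# key not present in the keyring ('?').
SAMPLE_PARTIAL='pub:-:4096:1:2AC745A50A212A8C:1362000000:::-:::scESC::::::23::0:
fpr:::::::::D5F0851426939232F437AB722AC745A50A212A8C:
uid:-::::1362000000::0000000000000000000000000000000000000000::Phusion Software Signing <software-signing@phusion.nl>::::::::::0:
sig:!::1:2AC745A50A212A8C:1362000000::::Phusion Software Signing <software-signing@phusion.nl>:13x:::::2:
sig:!::1:CD70085E8C59158F:1362000000::::Hongli Lai <hongli@phusion.nl>:10x:::::2:
sig:?::1:AE405F7869481265:1362000000::::[User ID not found]:10x:::::2:'

# Same constructed listing after importing Ninh Bui'"'"'s key as well.
SAMPLE_FULL=$(printf '%s\n' "$SAMPLE_PARTIAL" | sed 's/^sig:?::1:AE405F7869481265:\(.*\)::::\[User ID not found\]:/sig:!::1:AE405F7869481265:\1::::Ninh Bui <ninh@phusion.nl>:/')

# Usage against the sample data; on a real system call check_cross_signatures.
# all_founders_signed "$SAMPLE_FULL"      -> exit status 0
# all_founders_signed "$SAMPLE_PARTIAL"   -> exit status 1
```

If a founder's key has not been imported, gpg marks that record `?` rather than `!`, which is why the check insists on a verified signature from each founder and does not treat a merely present signature as proof.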
Verifying the gem and tarball
For the Enterprise version, all GPG signatures can be found in the Customer Area. The GPG signature of the latest open source tarball can be downloaded from here and for the latest gem the signature is here.
All signatures have the '.asc' extension. Once you have imported our key, you can verify the validity of a file against its signature as follows:
$ gpg --verify passenger-x.x.x.tar.gz.asc passenger-x.x.x.tar.gz
gpg: Signature made Mon Mar 11 09:45:46 2013 CET using RSA key ID 0A212A8C
gpg: Good signature from "Phusion Software Signing <software-signing@phusion.nl>"
Verifying Git signatures
Some older tags in the Git repository for the open source version are also signed. You can verify a Git tag as follows:
$ git tag --verify release-x.x.x
object d886f34b5705e4314feccaf0d77b9a38416e15e0
type commit
tag release-4.0.0.rc5
tagger Hongli Lai (Phusion) <hongli@phusion.nl> 1362993117 +0100

This is a tag message.
gpg: Signature made Mon Mar 11 10:12:02 2013 CET using RSA key ID 0A212A8C
gpg: Good signature from "Phusion Software Signing <software-signing@phusion.nl>"
Verifying Debian packages
Our APT repository is signed by Phusion Automated Software Signing (auto-software-signing@phusion.nl). Packages are automatically checked upon installation.
Verifying RPM packages
Our RPM repository is signed by Phusion Automated Software Signing (auto-software-signing@phusion.nl). Packages are automatically checked upon installation.
Revocation
In the event our key is compromised, we will revoke the key and upload the revocation information to keyserver.ubuntu.com. However, your system will not know about the revocation until you update the keys from the keyserver. You should refresh your keys regularly (e.g. once a week) by invoking:
gpg --refresh-keys --keyserver hkp://keyserver.ubuntu.com:80
If you installed Passenger through our APT repository, then you should update APT's copy from time to time as well:
curl https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/phusion.gpg >/dev/null
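The tarball verification step above and this revocation section together suggest a stricter check than reading "Good signature" off the terminal: "Good signature" is also printed for a key that gpg does not consider trusted, and after a revocation gpg reports the signature with a different status line. The script below is an added example, not part of Phusion's documentation or tooling. It runs `gpg --verify` with `--status-fd` and accepts a file only when the status output contains a `GOODSIG` line (which gpg replaces with `REVKEYSIG` or `EXPKEYSIG` once the key is revoked or expired) and a `VALIDSIG` line whose fingerprint equals the Phusion Software Signing fingerprint listed on this page. The status lines it is exercised against are constructed samples.

```shell
#!/bin/sh
# Added example, not Phusion tooling: verify a release file against its .asc
# signature while pinning the expected signing key fingerprint.

# Phusion Software Signing fingerprint, from the key listing on this page
# (spaces removed, which is how gpg reports it in status lines).
EXPECTED_FPR="D5F0851426939232F437AB722AC745A50A212A8C"

# check_status STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is the "[GNUPG:] ..." output of gpg --status-fd. Returns 0 only
# when the signature is good, the key is neither revoked nor expired, and the
# signing fingerprint (field 3 of VALIDSIG) matches the pinned one.
# Non-zero codes identify the reason so callers can log it.
check_status() {
    status="$1"; want="$2"
    case "$status" in
        *"[GNUPG:] REVKEYSIG"*) echo "refusing: signing key has been revoked" >&2; return 2 ;;
        *"[GNUPG:] EXPKEYSIG"*) echo "refusing: signing key has expired" >&2; return 3 ;;
    esac
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' \
        || { echo "refusing: no good signature (bad signature or unknown key)" >&2; return 4; }
    got=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$got" ] || { echo "refusing: no VALIDSIG line" >&2; return 5; }
    [ "$got" = "$want" ] \
        || { echo "refusing: signed by $got, expected $want" >&2; return 6; }
    return 0
}

# verify_file SIGNATURE FILE
# Runs gpg non-interactively; human-readable output goes to stderr, status
# lines to stdout (fd 1), which are handed to check_status.
verify_file() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    check_status "$status" "$EXPECTED_FPR"
}

# Constructed sample status output (not real gpg output) for a good signature
# made by the pinned key.
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2AC745A50A212A8C Phusion Software Signing <software-signing@phusion.nl>
[GNUPG:] VALIDSIG D5F0851426939232F437AB722AC745A50A212A8C 2013-03-11 1362991546 0 4 0 1 2 00 D5F0851426939232F437AB722AC745A50A212A8C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: valid signature, but from some other key (placeholder fingerprint).
STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000000000000000000DEADBEEF 2013-03-11 1362991546 0 4 0 1 2 00 00000000000000000000000000000000DEADBEEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: the same signature after the key was revoked and keys refreshed.
STATUS_REVOKED='[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 2AC745A50A212A8C Phusion Software Signing <software-signing@phusion.nl>
[GNUPG:] VALIDSIG D5F0851426939232F437AB722AC745A50A212A8C 2013-03-11 1362991546 0 4 0 1 2 00 D5F0851426939232F437AB722AC745A50A212A8C'

# Constructed: tampered tarball.
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 2AC745A50A212A8C Phusion Software Signing <software-signing@phusion.nl>'

# Usage on a real download:
#   verify_file passenger-x.x.x.tar.gz.asc passenger-x.x.x.tar.gz && tar xzf passenger-x.x.x.tar.gz
```

Pinning the fingerprint is what turns "Good signature" into "signed by Phusion": gpg's `TRUST_UNDEFINED` line in the sample shows it has no opinion about the key, and the fingerprint comparison supplies that opinion from the value printed on this page. The revoked case only triggers once the local keyring has learned of the revocation, which is why the weekly `--refresh-keys` above matters.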